2014-11-07 Instructure Advisory IAC31137 - Multiple stored XSS vulnerabilities

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by scottd@instructure.com on Sep 22, 2015.
Version 2

  Release Date: 2014-11-07 (Last update can be found below the document title)
  Description: Multiple stored XSS vulnerabilities
  Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact: Insertion of arbitrary HTML code
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Internal audit
  Relevant Changesets:

fix html escaping on content migrations page · instructure/canvas-lms@08761ca · GitHub



During a routine security audit of the Canvas code base and platform, a number of cross-site scripting vulnerabilities were identified. Once identified and confirmed, these vulnerabilities were patched by the Instructure engineering team.




All systems were patched as of 15:32 MT on 11/6/2014